Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / f0dd2e7648ab80a6233077d372b374cf96e38150 / . / tests / test_x509_ext.py
blob: f802300549723906272de4a67241de85e1ae11cc [file] [log] [blame]
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]7import binascii
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]8import datetime
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]9import ipaddress
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]10import os
11
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]12import pytest
13
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]14import six
15
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]16from cryptography import x509
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]17from cryptography.hazmat.backends.interfaces import (
18 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
19)
20from cryptography.hazmat.primitives.asymmetric import ec
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]21from cryptography.x509.oid import (
Nick Bastin326fc8e2015-12-12 19:08:12 -0800[diff] [blame]22 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
23 NameOID, ObjectIdentifier
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]24)
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]25
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]26from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]27from .test_x509 import _load_cert
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]28
29
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]30class TestExtension(object):
31 def test_not_an_oid(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]32 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]33 with pytest.raises(TypeError):
34 x509.Extension("notanoid", True, bc)
35
36 def test_critical_not_a_bool(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]37 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]38 with pytest.raises(TypeError):
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]39 x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, "notabool", bc)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]40
41 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]42 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]43 ext = x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, True, bc)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]44 assert repr(ext) == (
45 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConst"
46 "raints)>, critical=True, value=<BasicConstraints(ca=False, path"
47 "_length=None)>)>"
48 )
49
Paul Kehrer58e870c2015-05-17 09:15:30 -0700[diff] [blame]50 def test_eq(self):
51 ext1 = x509.Extension(
52 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
53 )
54 ext2 = x509.Extension(
55 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
56 )
57 assert ext1 == ext2
58
59 def test_ne(self):
60 ext1 = x509.Extension(
61 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
62 )
63 ext2 = x509.Extension(
64 x509.ObjectIdentifier('1.2.3.5'), False, 'value'
65 )
66 ext3 = x509.Extension(
67 x509.ObjectIdentifier('1.2.3.4'), True, 'value'
68 )
69 ext4 = x509.Extension(
70 x509.ObjectIdentifier('1.2.3.4'), False, 'value4'
71 )
72 assert ext1 != ext2
73 assert ext1 != ext3
74 assert ext1 != ext4
75 assert ext1 != object()
76
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]77
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]78class TestCertificateIssuer(object):
79 def test_iter_names(self):
80 ci = x509.CertificateIssuer([
81 x509.DNSName(u"cryptography.io"),
82 x509.DNSName(u"crypto.local"),
83 ])
84 assert len(ci) == 2
85 assert list(ci) == [
86 x509.DNSName(u"cryptography.io"),
87 x509.DNSName(u"crypto.local"),
88 ]
89
90 def test_eq(self):
91 ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
92 ci2 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
93 assert ci1 == ci2
94
95 def test_ne(self):
96 ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
97 ci2 = x509.CertificateIssuer([x509.DNSName(u"somethingelse.tld")])
98 assert ci1 != ci2
99 assert ci1 != object()
100
101 def test_repr(self):
102 ci = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
103 assert repr(ci) == (
104 "<CertificateIssuer(<GeneralNames([<DNSName(value=cryptography.io"
105 ")>])>)>"
106 )
107
108 def test_get_values_for_type(self):
109 ci = x509.CertificateIssuer(
110 [x509.DNSName(u"cryptography.io")]
111 )
112 names = ci.get_values_for_type(x509.DNSName)
113 assert names == [u"cryptography.io"]
114
115
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]116class TestCRLReason(object):
117 def test_invalid_reason_flags(self):
118 with pytest.raises(TypeError):
119 x509.CRLReason("notareason")
120
121 def test_eq(self):
122 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
123 reason2 = x509.CRLReason(x509.ReasonFlags.unspecified)
124 assert reason1 == reason2
125
126 def test_ne(self):
127 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
128 reason2 = x509.CRLReason(x509.ReasonFlags.ca_compromise)
129 assert reason1 != reason2
130 assert reason1 != object()
131
132 def test_repr(self):
133 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
134 assert repr(reason1) == (
135 "<CRLReason(reason=ReasonFlags.unspecified)>"
136 )
137
138
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]139class TestInvalidityDate(object):
140 def test_invalid_invalidity_date(self):
141 with pytest.raises(TypeError):
142 x509.InvalidityDate("notadate")
143
144 def test_eq(self):
145 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
146 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
147 assert invalid1 == invalid2
148
149 def test_ne(self):
150 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
151 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 2))
152 assert invalid1 != invalid2
153 assert invalid1 != object()
154
155 def test_repr(self):
156 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
157 assert repr(invalid1) == (
158 "<InvalidityDate(invalidity_date=2015-01-01 01:01:00)>"
159 )
160
Paul Kehrer67cde762015-12-26 11:37:14 -0600[diff] [blame]161 def test_hash(self):
162 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
163 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
164 invalid3 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 2))
165 assert hash(invalid1) == hash(invalid2)
166 assert hash(invalid1) != hash(invalid3)
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]167
Paul Kehrerc0297dd2015-12-26 11:37:57 -0600[diff] [blame]168
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]169class TestNoticeReference(object):
170 def test_notice_numbers_not_all_int(self):
171 with pytest.raises(TypeError):
172 x509.NoticeReference("org", [1, 2, "three"])
173
174 def test_notice_numbers_none(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]175 with pytest.raises(TypeError):
176 x509.NoticeReference("org", None)
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]177
178 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]179 nr = x509.NoticeReference(u"org", [1, 3, 4])
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]180
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]181 if six.PY3:
182 assert repr(nr) == (
183 "<NoticeReference(organization='org', notice_numbers=[1, 3, 4"
184 "])>"
185 )
186 else:
187 assert repr(nr) == (
188 "<NoticeReference(organization=u'org', notice_numbers=[1, 3, "
189 "4])>"
190 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]191
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]192 def test_eq(self):
193 nr = x509.NoticeReference("org", [1, 2])
194 nr2 = x509.NoticeReference("org", [1, 2])
195 assert nr == nr2
196
197 def test_ne(self):
198 nr = x509.NoticeReference("org", [1, 2])
199 nr2 = x509.NoticeReference("org", [1])
200 nr3 = x509.NoticeReference(None, [1, 2])
201 assert nr != nr2
202 assert nr != nr3
203 assert nr != object()
204
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]205
206class TestUserNotice(object):
207 def test_notice_reference_invalid(self):
208 with pytest.raises(TypeError):
209 x509.UserNotice("invalid", None)
210
211 def test_notice_reference_none(self):
212 un = x509.UserNotice(None, "text")
213 assert un.notice_reference is None
214 assert un.explicit_text == "text"
215
216 def test_repr(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]217 un = x509.UserNotice(x509.NoticeReference(u"org", [1]), u"text")
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]218 if six.PY3:
219 assert repr(un) == (
220 "<UserNotice(notice_reference=<NoticeReference(organization='"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]221 "org', notice_numbers=[1])>, explicit_text='text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]222 )
223 else:
224 assert repr(un) == (
225 "<UserNotice(notice_reference=<NoticeReference(organization=u"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]226 "'org', notice_numbers=[1])>, explicit_text=u'text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]227 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]228
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]229 def test_eq(self):
230 nr = x509.NoticeReference("org", [1, 2])
231 nr2 = x509.NoticeReference("org", [1, 2])
232 un = x509.UserNotice(nr, "text")
233 un2 = x509.UserNotice(nr2, "text")
234 assert un == un2
235
236 def test_ne(self):
237 nr = x509.NoticeReference("org", [1, 2])
238 nr2 = x509.NoticeReference("org", [1])
239 un = x509.UserNotice(nr, "text")
240 un2 = x509.UserNotice(nr2, "text")
241 un3 = x509.UserNotice(nr, "text3")
242 assert un != un2
243 assert un != un3
244 assert un != object()
245
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]246
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]247class TestPolicyInformation(object):
248 def test_invalid_policy_identifier(self):
249 with pytest.raises(TypeError):
250 x509.PolicyInformation("notanoid", None)
251
252 def test_none_policy_qualifiers(self):
253 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), None)
254 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
255 assert pi.policy_qualifiers is None
256
257 def test_policy_qualifiers(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]258 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]259 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
260 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
261 assert pi.policy_qualifiers == pq
262
263 def test_invalid_policy_identifiers(self):
264 with pytest.raises(TypeError):
265 x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [1, 2])
266
267 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]268 pq = [u"string", x509.UserNotice(None, u"hi")]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]269 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]270 if six.PY3:
271 assert repr(pi) == (
272 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
273 "2.3, name=Unknown OID)>, policy_qualifiers=['string', <UserNo"
Paul Kehrer9aaef9e2015-05-11 10:49:20 -0500[diff] [blame]274 "tice(notice_reference=None, explicit_text='hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]275 )
276 else:
277 assert repr(pi) == (
278 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
279 "2.3, name=Unknown OID)>, policy_qualifiers=[u'string', <UserN"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]280 "otice(notice_reference=None, explicit_text=u'hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]281 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]282
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]283 def test_eq(self):
284 pi = x509.PolicyInformation(
285 x509.ObjectIdentifier("1.2.3"),
286 [u"string", x509.UserNotice(None, u"hi")]
287 )
288 pi2 = x509.PolicyInformation(
289 x509.ObjectIdentifier("1.2.3"),
290 [u"string", x509.UserNotice(None, u"hi")]
291 )
292 assert pi == pi2
293
294 def test_ne(self):
295 pi = x509.PolicyInformation(
296 x509.ObjectIdentifier("1.2.3"), [u"string"]
297 )
298 pi2 = x509.PolicyInformation(
299 x509.ObjectIdentifier("1.2.3"), [u"string2"]
300 )
301 pi3 = x509.PolicyInformation(
302 x509.ObjectIdentifier("1.2.3.4"), [u"string"]
303 )
304 assert pi != pi2
305 assert pi != pi3
306 assert pi != object()
307
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]308
309class TestCertificatePolicies(object):
310 def test_invalid_policies(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]311 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]312 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
313 with pytest.raises(TypeError):
314 x509.CertificatePolicies([1, pi])
315
316 def test_iter_len(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]317 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]318 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
319 cp = x509.CertificatePolicies([pi])
320 assert len(cp) == 1
321 for policyinfo in cp:
322 assert policyinfo == pi
323
324 def test_repr(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]325 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]326 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
327 cp = x509.CertificatePolicies([pi])
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]328 if six.PY3:
329 assert repr(cp) == (
330 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
331 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
332 "ers=['string'])>])>"
333 )
334 else:
335 assert repr(cp) == (
336 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
337 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
338 "ers=[u'string'])>])>"
339 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]340
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]341 def test_eq(self):
342 pi = x509.PolicyInformation(
343 x509.ObjectIdentifier("1.2.3"), [u"string"]
344 )
345 cp = x509.CertificatePolicies([pi])
346 pi2 = x509.PolicyInformation(
347 x509.ObjectIdentifier("1.2.3"), [u"string"]
348 )
349 cp2 = x509.CertificatePolicies([pi2])
350 assert cp == cp2
351
352 def test_ne(self):
353 pi = x509.PolicyInformation(
354 x509.ObjectIdentifier("1.2.3"), [u"string"]
355 )
356 cp = x509.CertificatePolicies([pi])
357 pi2 = x509.PolicyInformation(
358 x509.ObjectIdentifier("1.2.3"), [u"string2"]
359 )
360 cp2 = x509.CertificatePolicies([pi2])
361 assert cp != cp2
362 assert cp != object()
363
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]364
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]365@pytest.mark.requires_backend_interface(interface=RSABackend)
366@pytest.mark.requires_backend_interface(interface=X509Backend)
367class TestCertificatePoliciesExtension(object):
368 def test_cps_uri_policy_qualifier(self, backend):
369 cert = _load_cert(
370 os.path.join("x509", "custom", "cp_cps_uri.pem"),
371 x509.load_pem_x509_certificate,
372 backend
373 )
374
375 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]376 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]377 ).value
378
379 assert cp == x509.CertificatePolicies([
380 x509.PolicyInformation(
381 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
382 [u"http://other.com/cps"]
383 )
384 ])
385
386 def test_user_notice_with_notice_reference(self, backend):
387 cert = _load_cert(
388 os.path.join(
389 "x509", "custom", "cp_user_notice_with_notice_reference.pem"
390 ),
391 x509.load_pem_x509_certificate,
392 backend
393 )
394
395 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]396 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]397 ).value
398
399 assert cp == x509.CertificatePolicies([
400 x509.PolicyInformation(
401 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
402 [
403 u"http://example.com/cps",
404 u"http://other.com/cps",
405 x509.UserNotice(
406 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
407 u"thing"
408 )
409 ]
410 )
411 ])
412
413 def test_user_notice_with_explicit_text(self, backend):
414 cert = _load_cert(
415 os.path.join(
416 "x509", "custom", "cp_user_notice_with_explicit_text.pem"
417 ),
418 x509.load_pem_x509_certificate,
419 backend
420 )
421
422 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]423 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]424 ).value
425
426 assert cp == x509.CertificatePolicies([
427 x509.PolicyInformation(
428 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
429 [x509.UserNotice(None, u"thing")]
430 )
431 ])
432
433 def test_user_notice_no_explicit_text(self, backend):
434 cert = _load_cert(
435 os.path.join(
436 "x509", "custom", "cp_user_notice_no_explicit_text.pem"
437 ),
438 x509.load_pem_x509_certificate,
439 backend
440 )
441
442 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]443 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]444 ).value
445
446 assert cp == x509.CertificatePolicies([
447 x509.PolicyInformation(
448 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
449 [
450 x509.UserNotice(
451 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
452 None
453 )
454 ]
455 )
456 ])
457
458
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]459class TestKeyUsage(object):
460 def test_key_agreement_false_encipher_decipher_true(self):
461 with pytest.raises(ValueError):
462 x509.KeyUsage(
463 digital_signature=False,
464 content_commitment=False,
465 key_encipherment=False,
466 data_encipherment=False,
467 key_agreement=False,
468 key_cert_sign=False,
469 crl_sign=False,
470 encipher_only=True,
471 decipher_only=False
472 )
473
474 with pytest.raises(ValueError):
475 x509.KeyUsage(
476 digital_signature=False,
477 content_commitment=False,
478 key_encipherment=False,
479 data_encipherment=False,
480 key_agreement=False,
481 key_cert_sign=False,
482 crl_sign=False,
483 encipher_only=True,
484 decipher_only=True
485 )
486
487 with pytest.raises(ValueError):
488 x509.KeyUsage(
489 digital_signature=False,
490 content_commitment=False,
491 key_encipherment=False,
492 data_encipherment=False,
493 key_agreement=False,
494 key_cert_sign=False,
495 crl_sign=False,
496 encipher_only=False,
497 decipher_only=True
498 )
499
500 def test_properties_key_agreement_true(self):
501 ku = x509.KeyUsage(
502 digital_signature=True,
503 content_commitment=True,
504 key_encipherment=False,
505 data_encipherment=False,
506 key_agreement=False,
507 key_cert_sign=True,
508 crl_sign=False,
509 encipher_only=False,
510 decipher_only=False
511 )
512 assert ku.digital_signature is True
513 assert ku.content_commitment is True
514 assert ku.key_encipherment is False
515 assert ku.data_encipherment is False
516 assert ku.key_agreement is False
517 assert ku.key_cert_sign is True
518 assert ku.crl_sign is False
519
520 def test_key_agreement_true_properties(self):
521 ku = x509.KeyUsage(
522 digital_signature=False,
523 content_commitment=False,
524 key_encipherment=False,
525 data_encipherment=False,
526 key_agreement=True,
527 key_cert_sign=False,
528 crl_sign=False,
529 encipher_only=False,
530 decipher_only=True
531 )
532 assert ku.key_agreement is True
533 assert ku.encipher_only is False
534 assert ku.decipher_only is True
535
536 def test_key_agreement_false_properties(self):
537 ku = x509.KeyUsage(
538 digital_signature=False,
539 content_commitment=False,
540 key_encipherment=False,
541 data_encipherment=False,
542 key_agreement=False,
543 key_cert_sign=False,
544 crl_sign=False,
545 encipher_only=False,
546 decipher_only=False
547 )
548 assert ku.key_agreement is False
549 with pytest.raises(ValueError):
550 ku.encipher_only
551
552 with pytest.raises(ValueError):
553 ku.decipher_only
554
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]555 def test_repr_key_agreement_false(self):
556 ku = x509.KeyUsage(
557 digital_signature=True,
558 content_commitment=True,
559 key_encipherment=False,
560 data_encipherment=False,
561 key_agreement=False,
562 key_cert_sign=True,
563 crl_sign=False,
564 encipher_only=False,
565 decipher_only=False
566 )
567 assert repr(ku) == (
568 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
569 "cipherment=False, data_encipherment=False, key_agreement=False, k"
Paul Kehrerb372e672015-04-15 11:05:24 -0400[diff] [blame]570 "ey_cert_sign=True, crl_sign=False, encipher_only=None, decipher_o"
571 "nly=None)>"
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]572 )
573
574 def test_repr_key_agreement_true(self):
575 ku = x509.KeyUsage(
576 digital_signature=True,
577 content_commitment=True,
578 key_encipherment=False,
579 data_encipherment=False,
580 key_agreement=True,
581 key_cert_sign=True,
582 crl_sign=False,
583 encipher_only=False,
584 decipher_only=False
585 )
586 assert repr(ku) == (
587 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
588 "cipherment=False, data_encipherment=False, key_agreement=True, k"
589 "ey_cert_sign=True, crl_sign=False, encipher_only=False, decipher_"
590 "only=False)>"
591 )
592
Paul Kehrer8565f5e2015-05-13 09:57:09 -0500[diff] [blame]593 def test_eq(self):
594 ku = x509.KeyUsage(
595 digital_signature=False,
596 content_commitment=False,
597 key_encipherment=False,
598 data_encipherment=False,
599 key_agreement=True,
600 key_cert_sign=False,
601 crl_sign=False,
602 encipher_only=False,
603 decipher_only=True
604 )
605 ku2 = x509.KeyUsage(
606 digital_signature=False,
607 content_commitment=False,
608 key_encipherment=False,
609 data_encipherment=False,
610 key_agreement=True,
611 key_cert_sign=False,
612 crl_sign=False,
613 encipher_only=False,
614 decipher_only=True
615 )
616 assert ku == ku2
617
618 def test_ne(self):
619 ku = x509.KeyUsage(
620 digital_signature=False,
621 content_commitment=False,
622 key_encipherment=False,
623 data_encipherment=False,
624 key_agreement=True,
625 key_cert_sign=False,
626 crl_sign=False,
627 encipher_only=False,
628 decipher_only=True
629 )
630 ku2 = x509.KeyUsage(
631 digital_signature=False,
632 content_commitment=False,
633 key_encipherment=False,
634 data_encipherment=False,
635 key_agreement=False,
636 key_cert_sign=False,
637 crl_sign=False,
638 encipher_only=False,
639 decipher_only=False
640 )
641 assert ku != ku2
642 assert ku != object()
643
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]644
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]645class TestSubjectKeyIdentifier(object):
646 def test_properties(self):
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]647 value = binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]648 ski = x509.SubjectKeyIdentifier(value)
649 assert ski.digest == value
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]650
651 def test_repr(self):
652 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]653 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]654 )
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]655 ext = x509.Extension(ExtensionOID.SUBJECT_KEY_IDENTIFIER, False, ski)
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]656 if six.PY3:
657 assert repr(ext) == (
658 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
659 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
660 "igest=b\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
661 "\\xf7\\xff:\\xc9\')>)>"
662 )
663 else:
664 assert repr(ext) == (
665 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
666 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
667 "igest=\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
668 "\\xf7\\xff:\\xc9\')>)>"
669 )
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]670
671 def test_eq(self):
672 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]673 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]674 )
675 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]676 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]677 )
678 assert ski == ski2
679
680 def test_ne(self):
681 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]682 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]683 )
684 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]685 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]686 )
687 assert ski != ski2
688 assert ski != object()
689
Alex Gaynor410fe352015-12-26 15:01:25 -0500[diff] [blame]690 def test_hash(self):
691 ski1 = x509.SubjectKeyIdentifier(
692 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
693 )
694 ski2 = x509.SubjectKeyIdentifier(
695 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
696 )
697 ski3 = x509.SubjectKeyIdentifier(
698 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
699 )
700
701 assert hash(ski1) == hash(ski2)
702 assert hash(ski1) != hash(ski3)
703
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]704
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]705class TestAuthorityKeyIdentifier(object):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]706 def test_authority_cert_issuer_not_generalname(self):
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]707 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]708 x509.AuthorityKeyIdentifier(b"identifier", ["notname"], 3)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]709
710 def test_authority_cert_serial_number_not_integer(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]711 dirname = x509.DirectoryName(
712 x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]713 x509.NameAttribute(
714 x509.ObjectIdentifier('2.999.1'),
715 u'value1'
716 ),
717 x509.NameAttribute(
718 x509.ObjectIdentifier('2.999.2'),
719 u'value2'
720 ),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]721 ])
722 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]723 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]724 x509.AuthorityKeyIdentifier(b"identifier", [dirname], "notanint")
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]725
726 def test_authority_issuer_none_serial_not_none(self):
727 with pytest.raises(ValueError):
728 x509.AuthorityKeyIdentifier(b"identifier", None, 3)
729
730 def test_authority_issuer_not_none_serial_none(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]731 dirname = x509.DirectoryName(
732 x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]733 x509.NameAttribute(
734 x509.ObjectIdentifier('2.999.1'),
735 u'value1'
736 ),
737 x509.NameAttribute(
738 x509.ObjectIdentifier('2.999.2'),
739 u'value2'
740 ),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]741 ])
742 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]743 with pytest.raises(ValueError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]744 x509.AuthorityKeyIdentifier(b"identifier", [dirname], None)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]745
746 def test_authority_cert_serial_and_issuer_none(self):
747 aki = x509.AuthorityKeyIdentifier(b"id", None, None)
748 assert aki.key_identifier == b"id"
749 assert aki.authority_cert_issuer is None
750 assert aki.authority_cert_serial_number is None
751
752 def test_repr(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]753 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]754 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]755 )
756 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]757
758 if six.PY3:
759 assert repr(aki) == (
760 "<AuthorityKeyIdentifier(key_identifier=b'digest', authority_"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]761 "cert_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid="
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]762 "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value='myC"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]763 "N')>])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]764 )
765 else:
766 assert repr(aki) == (
767 "<AuthorityKeyIdentifier(key_identifier='digest', authority_ce"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]768 "rt_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid=<Ob"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]769 "jectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'myCN')"
770 ">])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]771 )
772
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]773 def test_eq(self):
774 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]775 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]776 )
777 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
778 dirname2 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]779 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]780 )
781 aki2 = x509.AuthorityKeyIdentifier(b"digest", [dirname2], 1234)
782 assert aki == aki2
783
784 def test_ne(self):
785 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]786 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]787 )
788 dirname5 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]789 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'aCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]790 )
791 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
792 aki2 = x509.AuthorityKeyIdentifier(b"diges", [dirname], 1234)
793 aki3 = x509.AuthorityKeyIdentifier(b"digest", None, None)
794 aki4 = x509.AuthorityKeyIdentifier(b"digest", [dirname], 12345)
795 aki5 = x509.AuthorityKeyIdentifier(b"digest", [dirname5], 12345)
796 assert aki != aki2
797 assert aki != aki3
798 assert aki != aki4
799 assert aki != aki5
800 assert aki != object()
801
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]802
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]803class TestBasicConstraints(object):
804 def test_ca_not_boolean(self):
805 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]806 x509.BasicConstraints(ca="notbool", path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]807
808 def test_path_length_not_ca(self):
809 with pytest.raises(ValueError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]810 x509.BasicConstraints(ca=False, path_length=0)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]811
812 def test_path_length_not_int(self):
813 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]814 x509.BasicConstraints(ca=True, path_length=1.1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]815
816 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]817 x509.BasicConstraints(ca=True, path_length="notint")
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]818
819 def test_path_length_negative(self):
820 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]821 x509.BasicConstraints(ca=True, path_length=-1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]822
823 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]824 na = x509.BasicConstraints(ca=True, path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]825 assert repr(na) == (
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]826 "<BasicConstraints(ca=True, path_length=None)>"
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]827 )
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]828
Paul Kehrer3a69b132015-05-13 10:03:46 -0500[diff] [blame]829 def test_eq(self):
830 na = x509.BasicConstraints(ca=True, path_length=None)
831 na2 = x509.BasicConstraints(ca=True, path_length=None)
832 assert na == na2
833
834 def test_ne(self):
835 na = x509.BasicConstraints(ca=True, path_length=None)
836 na2 = x509.BasicConstraints(ca=True, path_length=1)
837 na3 = x509.BasicConstraints(ca=False, path_length=None)
838 assert na != na2
839 assert na != na3
840 assert na != object()
841
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]842
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]843class TestExtendedKeyUsage(object):
844 def test_not_all_oids(self):
845 with pytest.raises(TypeError):
846 x509.ExtendedKeyUsage(["notoid"])
847
848 def test_iter_len(self):
849 eku = x509.ExtendedKeyUsage([
850 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
851 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
852 ])
853 assert len(eku) == 2
854 assert list(eku) == [
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]855 ExtendedKeyUsageOID.SERVER_AUTH,
856 ExtendedKeyUsageOID.CLIENT_AUTH
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]857 ]
858
Paul Kehrer23d10c32015-04-02 23:12:32 -0500[diff] [blame]859 def test_repr(self):
860 eku = x509.ExtendedKeyUsage([
861 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
862 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
863 ])
864 assert repr(eku) == (
865 "<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name="
866 "serverAuth)>, <ObjectIdentifier(oid=1.3.6.1.5.5.7.3.2, name=clien"
867 "tAuth)>])>"
868 )
869
Paul Kehrerb0476172015-05-02 19:34:51 -0500[diff] [blame]870 def test_eq(self):
871 eku = x509.ExtendedKeyUsage([
872 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
873 ])
874 eku2 = x509.ExtendedKeyUsage([
875 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
876 ])
877 assert eku == eku2
878
879 def test_ne(self):
880 eku = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6")])
881 eku2 = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6.1")])
882 assert eku != eku2
883 assert eku != object()
884
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]885
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]886@pytest.mark.requires_backend_interface(interface=RSABackend)
887@pytest.mark.requires_backend_interface(interface=X509Backend)
888class TestExtensions(object):
889 def test_no_extensions(self, backend):
890 cert = _load_cert(
891 os.path.join("x509", "verisign_md2_root.pem"),
892 x509.load_pem_x509_certificate,
893 backend
894 )
895 ext = cert.extensions
896 assert len(ext) == 0
897 assert list(ext) == []
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]898 with pytest.raises(x509.ExtensionNotFound) as exc:
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]899 ext.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]900
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]901 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]902
903 def test_one_extension(self, backend):
904 cert = _load_cert(
905 os.path.join(
906 "x509", "custom", "basic_constraints_not_critical.pem"
907 ),
908 x509.load_pem_x509_certificate,
909 backend
910 )
911 extensions = cert.extensions
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]912 ext = extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]913 assert ext is not None
914 assert ext.value.ca is False
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]915
916 def test_duplicate_extension(self, backend):
917 cert = _load_cert(
918 os.path.join(
919 "x509", "custom", "two_basic_constraints.pem"
920 ),
921 x509.load_pem_x509_certificate,
922 backend
923 )
924 with pytest.raises(x509.DuplicateExtension) as exc:
925 cert.extensions
926
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]927 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]928
929 def test_unsupported_critical_extension(self, backend):
930 cert = _load_cert(
931 os.path.join(
932 "x509", "custom", "unsupported_extension_critical.pem"
933 ),
934 x509.load_pem_x509_certificate,
935 backend
936 )
937 with pytest.raises(x509.UnsupportedExtension) as exc:
938 cert.extensions
939
940 assert exc.value.oid == x509.ObjectIdentifier("1.2.3.4")
941
942 def test_unsupported_extension(self, backend):
943 # TODO: this will raise an exception when all extensions are complete
944 cert = _load_cert(
945 os.path.join(
946 "x509", "custom", "unsupported_extension.pem"
947 ),
948 x509.load_pem_x509_certificate,
949 backend
950 )
951 extensions = cert.extensions
952 assert len(extensions) == 0
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]953
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]954 def test_no_extensions_get_for_class(self, backend):
955 cert = _load_cert(
956 os.path.join(
Phoebe Queencb5ec4e2015-08-12 15:06:26 +0100[diff] [blame]957 "x509", "cryptography.io.pem"
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]958 ),
959 x509.load_pem_x509_certificate,
960 backend
961 )
Phoebe Queenc93752b2015-08-12 10:54:46 +0100[diff] [blame]962 exts = cert.extensions
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]963 with pytest.raises(x509.ExtensionNotFound) as exc:
Phoebe Queencb5ec4e2015-08-12 15:06:26 +0100[diff] [blame]964 exts.get_extension_for_class(x509.IssuerAlternativeName)
965 assert exc.value.oid == ExtensionOID.ISSUER_ALTERNATIVE_NAME
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]966
Paul Kehrer5b90c972015-12-26 00:52:58 -0600[diff] [blame]967 def test_indexing(self, backend):
968 cert = _load_cert(
969 os.path.join("x509", "cryptography.io.pem"),
970 x509.load_pem_x509_certificate,
971 backend
972 )
973 exts = cert.extensions
974 assert exts[-1] == exts[7]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame^]975 assert exts[2:6:2] == [exts[2], exts[4]]
Paul Kehrer5b90c972015-12-26 00:52:58 -0600[diff] [blame]976
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]977 def test_one_extension_get_for_class(self, backend):
978 cert = _load_cert(
Phoebe Queen2cc111a2015-08-12 04:14:22 +0100[diff] [blame]979 os.path.join(
980 "x509", "custom", "basic_constraints_not_critical.pem"
981 ),
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]982 x509.load_pem_x509_certificate,
983 backend
984 )
985 ext = cert.extensions.get_extension_for_class(x509.BasicConstraints)
986 assert ext is not None
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]987 assert isinstance(ext.value, x509.BasicConstraints)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]988
Paul Kehrerafbe75b2015-10-20 08:08:43 -0500[diff] [blame]989 def test_repr(self, backend):
990 cert = _load_cert(
991 os.path.join(
992 "x509", "custom", "basic_constraints_not_critical.pem"
993 ),
994 x509.load_pem_x509_certificate,
995 backend
996 )
997 assert repr(cert.extensions) == (
998 "<Extensions([<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name"
999 "=basicConstraints)>, critical=False, value=<BasicConstraints(ca=F"
1000 "alse, path_length=None)>)>])>"
1001 )
1002
Phoebe Queen2cc111a2015-08-12 04:14:22 +0100[diff] [blame]1003
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1004@pytest.mark.requires_backend_interface(interface=RSABackend)
1005@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerde813ea2015-03-28 12:44:34 -0500[diff] [blame]1006class TestBasicConstraintsExtension(object):
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1007 def test_ca_true_pathlen_6(self, backend):
1008 cert = _load_cert(
1009 os.path.join(
1010 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
1011 ),
1012 x509.load_der_x509_certificate,
1013 backend
1014 )
Phoebe Queen062dec72015-08-12 11:42:23 +0100[diff] [blame]1015 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1016 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1017 )
1018 assert ext is not None
1019 assert ext.critical is True
1020 assert ext.value.ca is True
1021 assert ext.value.path_length == 6
1022
1023 def test_path_length_zero(self, backend):
1024 cert = _load_cert(
1025 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
1026 x509.load_pem_x509_certificate,
1027 backend
1028 )
1029 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1030 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1031 )
1032 assert ext is not None
1033 assert ext.critical is True
1034 assert ext.value.ca is True
1035 assert ext.value.path_length == 0
1036
1037 def test_ca_true_no_pathlen(self, backend):
1038 cert = _load_cert(
1039 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1040 x509.load_der_x509_certificate,
1041 backend
1042 )
1043 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1044 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1045 )
1046 assert ext is not None
1047 assert ext.critical is True
1048 assert ext.value.ca is True
1049 assert ext.value.path_length is None
1050
1051 def test_ca_false(self, backend):
1052 cert = _load_cert(
1053 os.path.join("x509", "cryptography.io.pem"),
1054 x509.load_pem_x509_certificate,
1055 backend
1056 )
1057 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1058 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1059 )
1060 assert ext is not None
1061 assert ext.critical is True
1062 assert ext.value.ca is False
1063 assert ext.value.path_length is None
1064
1065 def test_no_basic_constraints(self, backend):
1066 cert = _load_cert(
1067 os.path.join(
1068 "x509",
1069 "PKITS_data",
1070 "certs",
1071 "ValidCertificatePathTest1EE.crt"
1072 ),
1073 x509.load_der_x509_certificate,
1074 backend
1075 )
1076 with pytest.raises(x509.ExtensionNotFound):
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1077 cert.extensions.get_extension_for_oid(
1078 ExtensionOID.BASIC_CONSTRAINTS
1079 )
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1080
1081 def test_basic_constraint_not_critical(self, backend):
1082 cert = _load_cert(
1083 os.path.join(
1084 "x509", "custom", "basic_constraints_not_critical.pem"
1085 ),
1086 x509.load_pem_x509_certificate,
1087 backend
1088 )
1089 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1090 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1091 )
1092 assert ext is not None
1093 assert ext.critical is False
1094 assert ext.value.ca is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1095
1096
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1097class TestSubjectKeyIdentifierExtension(object):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1098 @pytest.mark.requires_backend_interface(interface=RSABackend)
1099 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1100 def test_subject_key_identifier(self, backend):
1101 cert = _load_cert(
1102 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1103 x509.load_der_x509_certificate,
1104 backend
1105 )
1106 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1107 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1108 )
1109 ski = ext.value
1110 assert ext is not None
1111 assert ext.critical is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1112 assert ski.digest == binascii.unhexlify(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]1113 b"580184241bbc2b52944a3da510721451f5af3ac9"
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1114 )
1115
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1116 @pytest.mark.requires_backend_interface(interface=RSABackend)
1117 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1118 def test_no_subject_key_identifier(self, backend):
1119 cert = _load_cert(
1120 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
1121 x509.load_pem_x509_certificate,
1122 backend
1123 )
1124 with pytest.raises(x509.ExtensionNotFound):
1125 cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1126 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1127 )
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1128
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1129 @pytest.mark.requires_backend_interface(interface=RSABackend)
1130 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1131 def test_from_rsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1132 cert = _load_cert(
1133 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1134 x509.load_der_x509_certificate,
1135 backend
1136 )
1137 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1138 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1139 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1140 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1141 cert.public_key()
1142 )
1143 assert ext.value == ski
1144
1145 @pytest.mark.requires_backend_interface(interface=DSABackend)
1146 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1147 def test_from_dsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1148 cert = _load_cert(
1149 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
1150 x509.load_pem_x509_certificate,
1151 backend
1152 )
1153
1154 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1155 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1156 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1157 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1158 cert.public_key()
1159 )
1160 assert ext.value == ski
1161
1162 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1163 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1164 def test_from_ec_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1165 _skip_curve_unsupported(backend, ec.SECP384R1())
1166 cert = _load_cert(
1167 os.path.join("x509", "ecdsa_root.pem"),
1168 x509.load_pem_x509_certificate,
1169 backend
1170 )
1171
1172 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1173 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1174 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1175 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1176 cert.public_key()
1177 )
1178 assert ext.value == ski
1179
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1180
1181@pytest.mark.requires_backend_interface(interface=RSABackend)
1182@pytest.mark.requires_backend_interface(interface=X509Backend)
1183class TestKeyUsageExtension(object):
1184 def test_no_key_usage(self, backend):
1185 cert = _load_cert(
1186 os.path.join("x509", "verisign_md2_root.pem"),
1187 x509.load_pem_x509_certificate,
1188 backend
1189 )
1190 ext = cert.extensions
1191 with pytest.raises(x509.ExtensionNotFound) as exc:
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1192 ext.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1193
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1194 assert exc.value.oid == ExtensionOID.KEY_USAGE
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1195
1196 def test_all_purposes(self, backend):
1197 cert = _load_cert(
1198 os.path.join(
1199 "x509", "custom", "all_key_usages.pem"
1200 ),
1201 x509.load_pem_x509_certificate,
1202 backend
1203 )
1204 extensions = cert.extensions
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1205 ext = extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1206 assert ext is not None
1207
1208 ku = ext.value
1209 assert ku.digital_signature is True
1210 assert ku.content_commitment is True
1211 assert ku.key_encipherment is True
1212 assert ku.data_encipherment is True
1213 assert ku.key_agreement is True
1214 assert ku.key_cert_sign is True
1215 assert ku.crl_sign is True
1216 assert ku.encipher_only is True
1217 assert ku.decipher_only is True
1218
1219 def test_key_cert_sign_crl_sign(self, backend):
1220 cert = _load_cert(
1221 os.path.join(
1222 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
1223 ),
1224 x509.load_der_x509_certificate,
1225 backend
1226 )
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1227 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1228 assert ext is not None
1229 assert ext.critical is True
1230
1231 ku = ext.value
1232 assert ku.digital_signature is False
1233 assert ku.content_commitment is False
1234 assert ku.key_encipherment is False
1235 assert ku.data_encipherment is False
1236 assert ku.key_agreement is False
1237 assert ku.key_cert_sign is True
1238 assert ku.crl_sign is True
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1239
1240
1241@pytest.mark.parametrize(
1242 "name", [
1243 x509.RFC822Name,
1244 x509.DNSName,
1245 x509.UniformResourceIdentifier
1246 ]
1247)
1248class TestTextGeneralNames(object):
1249 def test_not_text(self, name):
1250 with pytest.raises(TypeError):
1251 name(b"notaunicodestring")
1252
1253 with pytest.raises(TypeError):
1254 name(1.3)
1255
1256 def test_repr(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1257 gn = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1258 assert repr(gn) == "<{0}(value=string)>".format(name.__name__)
1259
1260 def test_eq(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1261 gn = name(u"string")
1262 gn2 = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1263 assert gn == gn2
1264
1265 def test_ne(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1266 gn = name(u"string")
1267 gn2 = name(u"string2")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1268 assert gn != gn2
1269 assert gn != object()
1270
1271
1272class TestDirectoryName(object):
1273 def test_not_name(self):
1274 with pytest.raises(TypeError):
1275 x509.DirectoryName(b"notaname")
1276
1277 with pytest.raises(TypeError):
1278 x509.DirectoryName(1.3)
1279
1280 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1281 name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'value1')])
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1282 gn = x509.DirectoryName(x509.Name([name]))
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]1283 if six.PY3:
1284 assert repr(gn) == (
1285 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1286 "Identifier(oid=2.5.4.3, name=commonName)>, value='value1')>])"
1287 ">])>)>"
1288 )
1289 else:
1290 assert repr(gn) == (
1291 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1292 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'value1')>]"
1293 ")>])>)>"
1294 )
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1295
1296 def test_eq(self):
1297 name = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1298 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1299 ])
1300 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1301 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1302 ])
1303 gn = x509.DirectoryName(x509.Name([name]))
1304 gn2 = x509.DirectoryName(x509.Name([name2]))
1305 assert gn == gn2
1306
1307 def test_ne(self):
1308 name = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1309 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1310 ])
1311 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1312 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1313 ])
1314 gn = x509.DirectoryName(x509.Name([name]))
1315 gn2 = x509.DirectoryName(x509.Name([name2]))
1316 assert gn != gn2
1317 assert gn != object()
1318
1319
Paul Kehrer01d5d0b2015-07-12 09:41:21 -0500[diff] [blame]1320class TestRFC822Name(object):
1321 def test_invalid_email(self):
1322 with pytest.raises(ValueError):
1323 x509.RFC822Name(u"Name <email>")
1324
1325 with pytest.raises(ValueError):
1326 x509.RFC822Name(u"")
1327
1328 def test_single_label(self):
1329 gn = x509.RFC822Name(u"administrator")
1330 assert gn.value == u"administrator"
1331
1332 def test_idna(self):
1333 gn = x509.RFC822Name(u"email@em\xe5\xefl.com")
1334 assert gn.value == u"email@em\xe5\xefl.com"
1335 assert gn._encoded == b"email@xn--eml-vla4c.com"
1336
1337
Paul Kehrere28d6c42015-07-12 14:59:37 -0500[diff] [blame]1338class TestUniformResourceIdentifier(object):
1339 def test_no_parsed_hostname(self):
1340 gn = x509.UniformResourceIdentifier(u"singlelabel")
1341 assert gn.value == u"singlelabel"
1342
1343 def test_with_port(self):
1344 gn = x509.UniformResourceIdentifier(u"singlelabel:443/test")
1345 assert gn.value == u"singlelabel:443/test"
1346
1347 def test_idna_no_port(self):
1348 gn = x509.UniformResourceIdentifier(
1349 u"http://\u043f\u044b\u043a\u0430.cryptography"
1350 )
1351 assert gn.value == u"http://\u043f\u044b\u043a\u0430.cryptography"
1352 assert gn._encoded == b"http://xn--80ato2c.cryptography"
1353
1354 def test_idna_with_port(self):
1355 gn = x509.UniformResourceIdentifier(
1356 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1357 )
1358 assert gn.value == (
1359 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1360 )
1361 assert gn._encoded == b"gopher://xn--80ato2c.cryptography:70/some/path"
1362
1363 def test_query_and_fragment(self):
1364 gn = x509.UniformResourceIdentifier(
1365 u"ldap://cryptography:90/path?query=true#somedata"
1366 )
1367 assert gn.value == u"ldap://cryptography:90/path?query=true#somedata"
1368
1369
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1370class TestRegisteredID(object):
1371 def test_not_oid(self):
1372 with pytest.raises(TypeError):
1373 x509.RegisteredID(b"notanoid")
1374
1375 with pytest.raises(TypeError):
1376 x509.RegisteredID(1.3)
1377
1378 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1379 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1380 assert repr(gn) == (
1381 "<RegisteredID(value=<ObjectIdentifier(oid=2.5.4.3, name=commonNam"
1382 "e)>)>"
1383 )
1384
1385 def test_eq(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1386 gn = x509.RegisteredID(NameOID.COMMON_NAME)
1387 gn2 = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1388 assert gn == gn2
1389
1390 def test_ne(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1391 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1392 gn2 = x509.RegisteredID(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1393 assert gn != gn2
1394 assert gn != object()
1395
1396
1397class TestIPAddress(object):
1398 def test_not_ipaddress(self):
1399 with pytest.raises(TypeError):
1400 x509.IPAddress(b"notanipaddress")
1401
1402 with pytest.raises(TypeError):
1403 x509.IPAddress(1.3)
1404
1405 def test_repr(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1406 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1407 assert repr(gn) == "<IPAddress(value=127.0.0.1)>"
1408
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1409 gn2 = x509.IPAddress(ipaddress.IPv6Address(u"ff::"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1410 assert repr(gn2) == "<IPAddress(value=ff::)>"
1411
Paul Kehrereb177932015-05-17 18:33:33 -0700[diff] [blame]1412 gn3 = x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24"))
1413 assert repr(gn3) == "<IPAddress(value=192.168.0.0/24)>"
1414
1415 gn4 = x509.IPAddress(ipaddress.IPv6Network(u"ff::/96"))
1416 assert repr(gn4) == "<IPAddress(value=ff::/96)>"
1417
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1418 def test_eq(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1419 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1420 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1421 assert gn == gn2
1422
1423 def test_ne(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1424 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1425 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.2"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1426 assert gn != gn2
1427 assert gn != object()
1428
1429
Joshua Tauberer18b6fc82015-07-05 21:44:51 +0000[diff] [blame]1430class TestOtherName(object):
1431 def test_invalid_args(self):
1432 with pytest.raises(TypeError):
1433 x509.OtherName(b"notanobjectidentifier", b"derdata")
1434
1435 with pytest.raises(TypeError):
1436 x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), u"notderdata")
1437
1438 def test_repr(self):
1439 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1440 if six.PY3:
1441 assert repr(gn) == (
1442 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1443 "name=Unknown OID)>, value=b'derdata')>"
1444 )
1445 else:
1446 assert repr(gn) == (
1447 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1448 "name=Unknown OID)>, value='derdata')>"
1449 )
1450
1451 gn = x509.OtherName(x509.ObjectIdentifier("2.5.4.65"), b"derdata")
1452 if six.PY3:
1453 assert repr(gn) == (
1454 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1455 "name=pseudonym)>, value=b'derdata')>"
1456 )
1457 else:
1458 assert repr(gn) == (
1459 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1460 "name=pseudonym)>, value='derdata')>"
1461 )
1462
1463 def test_eq(self):
1464 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1465 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1466 assert gn == gn2
1467
1468 def test_ne(self):
1469 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1470 assert gn != object()
1471
1472 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata2")
1473 assert gn != gn2
1474
1475 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.5"), b"derdata")
1476 assert gn != gn2
1477
1478
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1479class TestGeneralNames(object):
1480 def test_get_values_for_type(self):
1481 gns = x509.GeneralNames(
1482 [x509.DNSName(u"cryptography.io")]
1483 )
1484 names = gns.get_values_for_type(x509.DNSName)
1485 assert names == [u"cryptography.io"]
1486
1487 def test_iter_names(self):
1488 gns = x509.GeneralNames([
1489 x509.DNSName(u"cryptography.io"),
1490 x509.DNSName(u"crypto.local"),
1491 ])
1492 assert len(gns) == 2
1493 assert list(gns) == [
1494 x509.DNSName(u"cryptography.io"),
1495 x509.DNSName(u"crypto.local"),
1496 ]
1497
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1498 def test_indexing(self):
1499 gn = x509.GeneralNames([
1500 x509.DNSName(u"cryptography.io"),
1501 x509.DNSName(u"crypto.local"),
1502 x509.DNSName(u"another.local"),
1503 x509.RFC822Name(u"email@another.local"),
1504 x509.UniformResourceIdentifier(u"http://another.local"),
1505 ])
1506 assert gn[-1] == gn[4]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame^]1507 assert gn[2:6:2] == [gn[2], gn[4]]
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1508
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1509 def test_invalid_general_names(self):
1510 with pytest.raises(TypeError):
1511 x509.GeneralNames(
1512 [x509.DNSName(u"cryptography.io"), "invalid"]
1513 )
1514
1515 def test_repr(self):
1516 gns = x509.GeneralNames(
1517 [
1518 x509.DNSName(u"cryptography.io")
1519 ]
1520 )
1521 assert repr(gns) == (
1522 "<GeneralNames([<DNSName(value=cryptography.io)>])>"
1523 )
1524
1525 def test_eq(self):
1526 gns = x509.GeneralNames(
1527 [x509.DNSName(u"cryptography.io")]
1528 )
1529 gns2 = x509.GeneralNames(
1530 [x509.DNSName(u"cryptography.io")]
1531 )
1532 assert gns == gns2
1533
1534 def test_ne(self):
1535 gns = x509.GeneralNames(
1536 [x509.DNSName(u"cryptography.io")]
1537 )
1538 gns2 = x509.GeneralNames(
1539 [x509.RFC822Name(u"admin@cryptography.io")]
1540 )
1541 assert gns != gns2
1542 assert gns != object()
1543
1544
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1545class TestIssuerAlternativeName(object):
1546 def test_get_values_for_type(self):
1547 san = x509.IssuerAlternativeName(
1548 [x509.DNSName(u"cryptography.io")]
1549 )
1550 names = san.get_values_for_type(x509.DNSName)
1551 assert names == [u"cryptography.io"]
1552
1553 def test_iter_names(self):
1554 san = x509.IssuerAlternativeName([
1555 x509.DNSName(u"cryptography.io"),
1556 x509.DNSName(u"crypto.local"),
1557 ])
1558 assert len(san) == 2
1559 assert list(san) == [
1560 x509.DNSName(u"cryptography.io"),
1561 x509.DNSName(u"crypto.local"),
1562 ]
1563
1564 def test_invalid_general_names(self):
1565 with pytest.raises(TypeError):
1566 x509.IssuerAlternativeName(
1567 [x509.DNSName(u"cryptography.io"), "invalid"]
1568 )
1569
1570 def test_repr(self):
1571 san = x509.IssuerAlternativeName(
1572 [
1573 x509.DNSName(u"cryptography.io")
1574 ]
1575 )
1576 assert repr(san) == (
1577 "<IssuerAlternativeName("
1578 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
1579 )
1580
1581 def test_eq(self):
1582 san = x509.IssuerAlternativeName(
1583 [x509.DNSName(u"cryptography.io")]
1584 )
1585 san2 = x509.IssuerAlternativeName(
1586 [x509.DNSName(u"cryptography.io")]
1587 )
1588 assert san == san2
1589
1590 def test_ne(self):
1591 san = x509.IssuerAlternativeName(
1592 [x509.DNSName(u"cryptography.io")]
1593 )
1594 san2 = x509.IssuerAlternativeName(
1595 [x509.RFC822Name(u"admin@cryptography.io")]
1596 )
1597 assert san != san2
1598 assert san != object()
1599
1600
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1601@pytest.mark.requires_backend_interface(interface=RSABackend)
1602@pytest.mark.requires_backend_interface(interface=X509Backend)
1603class TestRSAIssuerAlternativeNameExtension(object):
1604 def test_uri(self, backend):
1605 cert = _load_cert(
1606 os.path.join("x509", "custom", "ian_uri.pem"),
1607 x509.load_pem_x509_certificate,
1608 backend,
1609 )
1610 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1611 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1612 )
1613 assert list(ext.value) == [
1614 x509.UniformResourceIdentifier(u"http://path.to.root/root.crt"),
1615 ]
1616
1617
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]1618class TestCRLNumber(object):
1619 def test_eq(self):
1620 crl_number = x509.CRLNumber(15)
1621 assert crl_number == x509.CRLNumber(15)
1622
1623 def test_ne(self):
1624 crl_number = x509.CRLNumber(15)
1625 assert crl_number != x509.CRLNumber(14)
1626 assert crl_number != object()
1627
1628 def test_repr(self):
1629 crl_number = x509.CRLNumber(15)
1630 assert repr(crl_number) == "<CRLNumber(15)>"
1631
Paul Kehrera9718fc2015-12-22 22:55:35 -0600[diff] [blame]1632 def test_invalid_number(self):
1633 with pytest.raises(TypeError):
1634 x509.CRLNumber("notanumber")
1635
Alex Gaynorf9a77b62015-12-26 12:14:25 -0500[diff] [blame]1636 def test_hash(self):
1637 c1 = x509.CRLNumber(1)
1638 c2 = x509.CRLNumber(1)
1639 c3 = x509.CRLNumber(2)
1640 assert hash(c1) == hash(c2)
1641 assert hash(c1) != hash(c3)
1642
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]1643
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1644class TestSubjectAlternativeName(object):
1645 def test_get_values_for_type(self):
1646 san = x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1647 [x509.DNSName(u"cryptography.io")]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1648 )
1649 names = san.get_values_for_type(x509.DNSName)
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1650 assert names == [u"cryptography.io"]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1651
1652 def test_iter_names(self):
1653 san = x509.SubjectAlternativeName([
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1654 x509.DNSName(u"cryptography.io"),
1655 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1656 ])
1657 assert len(san) == 2
1658 assert list(san) == [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1659 x509.DNSName(u"cryptography.io"),
1660 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1661 ]
1662
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1663 def test_indexing(self):
1664 san = x509.SubjectAlternativeName([
1665 x509.DNSName(u"cryptography.io"),
1666 x509.DNSName(u"crypto.local"),
1667 x509.DNSName(u"another.local"),
1668 x509.RFC822Name(u"email@another.local"),
1669 x509.UniformResourceIdentifier(u"http://another.local"),
1670 ])
1671 assert san[-1] == san[4]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame^]1672 assert san[2:6:2] == [san[2], san[4]]
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1673
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1674 def test_invalid_general_names(self):
1675 with pytest.raises(TypeError):
1676 x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1677 [x509.DNSName(u"cryptography.io"), "invalid"]
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1678 )
1679
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1680 def test_repr(self):
1681 san = x509.SubjectAlternativeName(
1682 [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1683 x509.DNSName(u"cryptography.io")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1684 ]
1685 )
1686 assert repr(san) == (
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1687 "<SubjectAlternativeName("
1688 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1689 )
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1690
Paul Kehrer58cc3972015-05-13 10:00:41 -0500[diff] [blame]1691 def test_eq(self):
1692 san = x509.SubjectAlternativeName(
1693 [x509.DNSName(u"cryptography.io")]
1694 )
1695 san2 = x509.SubjectAlternativeName(
1696 [x509.DNSName(u"cryptography.io")]
1697 )
1698 assert san == san2
1699
1700 def test_ne(self):
1701 san = x509.SubjectAlternativeName(
1702 [x509.DNSName(u"cryptography.io")]
1703 )
1704 san2 = x509.SubjectAlternativeName(
1705 [x509.RFC822Name(u"admin@cryptography.io")]
1706 )
1707 assert san != san2
1708 assert san != object()
1709
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1710
1711@pytest.mark.requires_backend_interface(interface=RSABackend)
1712@pytest.mark.requires_backend_interface(interface=X509Backend)
1713class TestRSASubjectAlternativeNameExtension(object):
1714 def test_dns_name(self, backend):
1715 cert = _load_cert(
1716 os.path.join("x509", "cryptography.io.pem"),
1717 x509.load_pem_x509_certificate,
1718 backend
1719 )
1720 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1721 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1722 )
1723 assert ext is not None
1724 assert ext.critical is False
1725
1726 san = ext.value
1727
1728 dns = san.get_values_for_type(x509.DNSName)
1729 assert dns == [u"www.cryptography.io", u"cryptography.io"]
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1730
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1731 def test_wildcard_dns_name(self, backend):
1732 cert = _load_cert(
1733 os.path.join("x509", "wildcard_san.pem"),
1734 x509.load_pem_x509_certificate,
1735 backend
1736 )
1737 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1738 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1739 )
1740
1741 dns = ext.value.get_values_for_type(x509.DNSName)
1742 assert dns == [
1743 u'*.langui.sh',
1744 u'langui.sh',
1745 u'*.saseliminator.com',
1746 u'saseliminator.com'
1747 ]
1748
Dominic Chen87bb9572015-10-09 00:23:07 -0400[diff] [blame]1749 def test_san_empty_hostname(self, backend):
1750 cert = _load_cert(
1751 os.path.join(
1752 "x509", "custom", "san_empty_hostname.pem"
1753 ),
1754 x509.load_pem_x509_certificate,
1755 backend
1756 )
1757 san = cert.extensions.get_extension_for_oid(
1758 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
1759 )
1760
1761 dns = san.value.get_values_for_type(x509.DNSName)
1762 assert dns == [u'']
1763
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1764 def test_san_wildcard_idna_dns_name(self, backend):
1765 cert = _load_cert(
1766 os.path.join("x509", "custom", "san_wildcard_idna.pem"),
1767 x509.load_pem_x509_certificate,
1768 backend
1769 )
1770 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1771 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1772 )
1773
1774 dns = ext.value.get_values_for_type(x509.DNSName)
1775 assert dns == [u'*.\u043f\u044b\u043a\u0430.cryptography']
1776
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1777 def test_unsupported_gn(self, backend):
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1778 cert = _load_cert(
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1779 os.path.join("x509", "san_x400address.der"),
1780 x509.load_der_x509_certificate,
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1781 backend
1782 )
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1783 with pytest.raises(x509.UnsupportedGeneralNameType) as exc:
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1784 cert.extensions
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1785
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1786 assert exc.value.type == 3
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1787
1788 def test_registered_id(self, backend):
1789 cert = _load_cert(
1790 os.path.join(
1791 "x509", "custom", "san_registered_id.pem"
1792 ),
1793 x509.load_pem_x509_certificate,
1794 backend
1795 )
1796 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1797 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1798 )
1799 assert ext is not None
1800 assert ext.critical is False
1801
1802 san = ext.value
1803 rid = san.get_values_for_type(x509.RegisteredID)
1804 assert rid == [x509.ObjectIdentifier("1.2.3.4")]
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1805
1806 def test_uri(self, backend):
1807 cert = _load_cert(
1808 os.path.join(
1809 "x509", "custom", "san_uri_with_port.pem"
1810 ),
1811 x509.load_pem_x509_certificate,
1812 backend
1813 )
1814 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1815 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1816 )
1817 assert ext is not None
1818 uri = ext.value.get_values_for_type(
1819 x509.UniformResourceIdentifier
1820 )
1821 assert uri == [
1822 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/path?q=s#hel"
1823 u"lo",
1824 u"http://someregulardomain.com",
1825 ]
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1826
1827 def test_ipaddress(self, backend):
1828 cert = _load_cert(
1829 os.path.join(
1830 "x509", "custom", "san_ipaddr.pem"
1831 ),
1832 x509.load_pem_x509_certificate,
1833 backend
1834 )
1835 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1836 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1837 )
1838 assert ext is not None
1839 assert ext.critical is False
1840
1841 san = ext.value
1842
1843 ip = san.get_values_for_type(x509.IPAddress)
1844 assert [
1845 ipaddress.ip_address(u"127.0.0.1"),
1846 ipaddress.ip_address(u"ff::")
1847 ] == ip
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1848
1849 def test_dirname(self, backend):
1850 cert = _load_cert(
1851 os.path.join(
1852 "x509", "custom", "san_dirname.pem"
1853 ),
1854 x509.load_pem_x509_certificate,
1855 backend
1856 )
1857 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1858 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1859 )
1860 assert ext is not None
1861 assert ext.critical is False
1862
1863 san = ext.value
1864
1865 dirname = san.get_values_for_type(x509.DirectoryName)
1866 assert [
1867 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1868 x509.NameAttribute(NameOID.COMMON_NAME, u'test'),
1869 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org'),
1870 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1871 ])
1872 ] == dirname
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1873
1874 def test_rfc822name(self, backend):
1875 cert = _load_cert(
1876 os.path.join(
1877 "x509", "custom", "san_rfc822_idna.pem"
1878 ),
1879 x509.load_pem_x509_certificate,
1880 backend
1881 )
1882 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1883 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1884 )
1885 assert ext is not None
1886 assert ext.critical is False
1887
1888 san = ext.value
1889
1890 rfc822name = san.get_values_for_type(x509.RFC822Name)
1891 assert [u"email@em\xe5\xefl.com"] == rfc822name
1892
Paul Kehrerb8968812015-05-15 09:01:34 -0700[diff] [blame]1893 def test_idna2003_invalid(self, backend):
1894 cert = _load_cert(
1895 os.path.join(
1896 "x509", "custom", "san_idna2003_dnsname.pem"
1897 ),
1898 x509.load_pem_x509_certificate,
1899 backend
1900 )
1901 with pytest.raises(UnicodeError):
1902 cert.extensions
1903
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1904 def test_unicode_rfc822_name_dns_name_uri(self, backend):
1905 cert = _load_cert(
1906 os.path.join(
1907 "x509", "custom", "san_idna_names.pem"
1908 ),
1909 x509.load_pem_x509_certificate,
1910 backend
1911 )
1912 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1913 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1914 )
1915 assert ext is not None
1916 rfc822_name = ext.value.get_values_for_type(x509.RFC822Name)
1917 dns_name = ext.value.get_values_for_type(x509.DNSName)
1918 uri = ext.value.get_values_for_type(x509.UniformResourceIdentifier)
1919 assert rfc822_name == [u"email@\u043f\u044b\u043a\u0430.cryptography"]
1920 assert dns_name == [u"\u043f\u044b\u043a\u0430.cryptography"]
1921 assert uri == [u"https://www.\u043f\u044b\u043a\u0430.cryptography"]
1922
1923 def test_rfc822name_dnsname_ipaddress_directoryname_uri(self, backend):
1924 cert = _load_cert(
1925 os.path.join(
1926 "x509", "custom", "san_email_dns_ip_dirname_uri.pem"
1927 ),
1928 x509.load_pem_x509_certificate,
1929 backend
1930 )
1931 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1932 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1933 )
1934 assert ext is not None
1935 assert ext.critical is False
1936
1937 san = ext.value
1938
1939 rfc822_name = san.get_values_for_type(x509.RFC822Name)
1940 uri = san.get_values_for_type(x509.UniformResourceIdentifier)
1941 dns = san.get_values_for_type(x509.DNSName)
1942 ip = san.get_values_for_type(x509.IPAddress)
1943 dirname = san.get_values_for_type(x509.DirectoryName)
1944 assert [u"user@cryptography.io"] == rfc822_name
Paul Kehrere3a330c2015-05-02 16:42:52 -0500[diff] [blame]1945 assert [u"https://cryptography.io"] == uri
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1946 assert [u"cryptography.io"] == dns
1947 assert [
1948 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1949 x509.NameAttribute(NameOID.COMMON_NAME, u'dirCN'),
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1950 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1951 NameOID.ORGANIZATION_NAME, u'Cryptographic Authority'
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1952 ),
1953 ])
1954 ] == dirname
1955 assert [
1956 ipaddress.ip_address(u"127.0.0.1"),
1957 ipaddress.ip_address(u"ff::")
1958 ] == ip
1959
1960 def test_invalid_rfc822name(self, backend):
1961 cert = _load_cert(
1962 os.path.join(
1963 "x509", "custom", "san_rfc822_names.pem"
1964 ),
1965 x509.load_pem_x509_certificate,
1966 backend
1967 )
1968 with pytest.raises(ValueError) as exc:
1969 cert.extensions
1970
1971 assert 'Invalid rfc822name value' in str(exc.value)
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]1972
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1973 def test_other_name(self, backend):
1974 cert = _load_cert(
1975 os.path.join(
1976 "x509", "custom", "san_other_name.pem"
1977 ),
1978 x509.load_pem_x509_certificate,
1979 backend
1980 )
1981
1982 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1983 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1984 )
1985 assert ext is not None
1986 assert ext.critical is False
1987
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]1988 expected = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"),
1989 b'\x16\x0bHello World')
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1990 assert len(ext.value) == 1
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]1991 assert list(ext.value)[0] == expected
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1992
1993 othernames = ext.value.get_values_for_type(x509.OtherName)
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]1994 assert othernames == [expected]
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1995
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]1996
1997@pytest.mark.requires_backend_interface(interface=RSABackend)
1998@pytest.mark.requires_backend_interface(interface=X509Backend)
1999class TestExtendedKeyUsageExtension(object):
2000 def test_eku(self, backend):
2001 cert = _load_cert(
2002 os.path.join(
2003 "x509", "custom", "extended_key_usage.pem"
2004 ),
2005 x509.load_pem_x509_certificate,
2006 backend
2007 )
2008 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2009 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]2010 )
2011 assert ext is not None
2012 assert ext.critical is False
2013
2014 assert [
2015 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
2016 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
2017 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.3"),
2018 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.4"),
2019 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.9"),
2020 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.8"),
2021 x509.ObjectIdentifier("2.5.29.37.0"),
2022 x509.ObjectIdentifier("2.16.840.1.113730.4.1"),
2023 ] == list(ext.value)
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2024
2025
2026class TestAccessDescription(object):
2027 def test_invalid_access_method(self):
Nick Bastind06763d2015-12-12 18:32:59 -0800[diff] [blame]2028 with pytest.raises(TypeError):
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2029 x509.AccessDescription("notanoid", x509.DNSName(u"test"))
2030
2031 def test_invalid_access_location(self):
2032 with pytest.raises(TypeError):
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2033 x509.AccessDescription(
2034 AuthorityInformationAccessOID.CA_ISSUERS, "invalid"
2035 )
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2036
Nick Bastind2ecf862015-12-13 05:44:46 -0800[diff] [blame]2037 def test_valid_nonstandard_method(self):
Nick Bastin326fc8e2015-12-12 19:08:12 -0800[diff] [blame]2038 ad = x509.AccessDescription(
2039 ObjectIdentifier("2.999.1"),
2040 x509.UniformResourceIdentifier(u"http://example.com")
2041 )
Nick Bastin11f0f8a2015-12-12 18:54:12 -0800[diff] [blame]2042 assert ad is not None
2043
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2044 def test_repr(self):
2045 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2046 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2047 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2048 )
2049 assert repr(ad) == (
2050 "<AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5."
2051 "5.7.48.1, name=OCSP)>, access_location=<UniformResourceIdentifier"
2052 "(value=http://ocsp.domain.com)>)>"
2053 )
2054
2055 def test_eq(self):
2056 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2057 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2058 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2059 )
2060 ad2 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2061 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2062 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2063 )
2064 assert ad == ad2
2065
2066 def test_ne(self):
2067 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2068 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2069 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2070 )
2071 ad2 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2072 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2073 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2074 )
2075 ad3 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2076 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2077 x509.UniformResourceIdentifier(u"http://notthesame")
2078 )
2079 assert ad != ad2
2080 assert ad != ad3
2081 assert ad != object()
2082
2083
2084class TestAuthorityInformationAccess(object):
2085 def test_invalid_descriptions(self):
2086 with pytest.raises(TypeError):
2087 x509.AuthorityInformationAccess(["notanAccessDescription"])
2088
2089 def test_iter_len(self):
2090 aia = x509.AuthorityInformationAccess([
2091 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2092 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2093 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2094 ),
2095 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2096 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2097 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2098 )
2099 ])
2100 assert len(aia) == 2
2101 assert list(aia) == [
2102 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2103 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2104 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2105 ),
2106 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2107 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2108 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2109 )
2110 ]
2111
2112 def test_repr(self):
2113 aia = x509.AuthorityInformationAccess([
2114 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2115 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2116 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2117 ),
2118 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2119 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2120 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2121 )
2122 ])
2123 assert repr(aia) == (
2124 "<AuthorityInformationAccess([<AccessDescription(access_method=<Ob"
2125 "jectIdentifier(oid=1.3.6.1.5.5.7.48.1, name=OCSP)>, access_locati"
2126 "on=<UniformResourceIdentifier(value=http://ocsp.domain.com)>)>, <"
2127 "AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5.5"
2128 ".7.48.2, name=caIssuers)>, access_location=<UniformResourceIdenti"
2129 "fier(value=http://domain.com/ca.crt)>)>])>"
2130 )
2131
2132 def test_eq(self):
2133 aia = x509.AuthorityInformationAccess([
2134 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2135 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2136 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2137 ),
2138 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2139 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2140 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2141 )
2142 ])
2143 aia2 = x509.AuthorityInformationAccess([
2144 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2145 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2146 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2147 ),
2148 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2149 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2150 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2151 )
2152 ])
2153 assert aia == aia2
2154
2155 def test_ne(self):
2156 aia = x509.AuthorityInformationAccess([
2157 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2158 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2159 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2160 ),
2161 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2162 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2163 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2164 )
2165 ])
2166 aia2 = x509.AuthorityInformationAccess([
2167 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2168 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2169 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2170 ),
2171 ])
2172
2173 assert aia != aia2
2174 assert aia != object()
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2175
2176
2177@pytest.mark.requires_backend_interface(interface=RSABackend)
2178@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2179class TestAuthorityInformationAccessExtension(object):
2180 def test_aia_ocsp_ca_issuers(self, backend):
2181 cert = _load_cert(
2182 os.path.join("x509", "cryptography.io.pem"),
2183 x509.load_pem_x509_certificate,
2184 backend
2185 )
2186 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2187 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2188 )
2189 assert ext is not None
2190 assert ext.critical is False
2191
2192 assert ext.value == x509.AuthorityInformationAccess([
2193 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2194 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2195 x509.UniformResourceIdentifier(u"http://gv.symcd.com")
2196 ),
2197 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2198 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2199 x509.UniformResourceIdentifier(u"http://gv.symcb.com/gv.crt")
2200 ),
2201 ])
2202
2203 def test_aia_multiple_ocsp_ca_issuers(self, backend):
2204 cert = _load_cert(
2205 os.path.join("x509", "custom", "aia_ocsp_ca_issuers.pem"),
2206 x509.load_pem_x509_certificate,
2207 backend
2208 )
2209 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2210 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2211 )
2212 assert ext is not None
2213 assert ext.critical is False
2214
2215 assert ext.value == x509.AuthorityInformationAccess([
2216 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2217 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2218 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2219 ),
2220 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2221 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2222 x509.UniformResourceIdentifier(u"http://ocsp2.domain.com")
2223 ),
2224 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2225 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2226 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2227 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
2228 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2229 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2230 ]))
2231 ),
2232 ])
2233
2234 def test_aia_ocsp_only(self, backend):
2235 cert = _load_cert(
2236 os.path.join("x509", "custom", "aia_ocsp.pem"),
2237 x509.load_pem_x509_certificate,
2238 backend
2239 )
2240 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2241 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2242 )
2243 assert ext is not None
2244 assert ext.critical is False
2245
2246 assert ext.value == x509.AuthorityInformationAccess([
2247 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2248 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2249 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2250 ),
2251 ])
2252
2253 def test_aia_ca_issuers_only(self, backend):
2254 cert = _load_cert(
2255 os.path.join("x509", "custom", "aia_ca_issuers.pem"),
2256 x509.load_pem_x509_certificate,
2257 backend
2258 )
2259 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2260 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2261 )
2262 assert ext is not None
2263 assert ext.critical is False
2264
2265 assert ext.value == x509.AuthorityInformationAccess([
2266 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2267 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2268 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2269 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
2270 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2271 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2272 ]))
2273 ),
2274 ])
2275
2276
2277@pytest.mark.requires_backend_interface(interface=RSABackend)
2278@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2279class TestAuthorityKeyIdentifierExtension(object):
2280 def test_aki_keyid(self, backend):
2281 cert = _load_cert(
2282 os.path.join(
2283 "x509", "cryptography.io.pem"
2284 ),
2285 x509.load_pem_x509_certificate,
2286 backend
2287 )
2288 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2289 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2290 )
2291 assert ext is not None
2292 assert ext.critical is False
2293
2294 assert ext.value.key_identifier == (
2295 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08\xcbY"
2296 )
2297 assert ext.value.authority_cert_issuer is None
2298 assert ext.value.authority_cert_serial_number is None
2299
2300 def test_aki_all_fields(self, backend):
2301 cert = _load_cert(
2302 os.path.join(
2303 "x509", "custom", "authority_key_identifier.pem"
2304 ),
2305 x509.load_pem_x509_certificate,
2306 backend
2307 )
2308 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2309 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2310 )
2311 assert ext is not None
2312 assert ext.critical is False
2313
2314 assert ext.value.key_identifier == (
2315 b"9E>\xca=b\x1d\xea\x86I\xf6Z\xab@\xb7\xa4p\x98\xf1\xec"
2316 )
2317 assert ext.value.authority_cert_issuer == [
2318 x509.DirectoryName(
2319 x509.Name([
2320 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2321 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2322 ),
2323 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2324 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2325 )
2326 ])
2327 )
2328 ]
2329 assert ext.value.authority_cert_serial_number == 3
2330
2331 def test_aki_no_keyid(self, backend):
2332 cert = _load_cert(
2333 os.path.join(
2334 "x509", "custom", "authority_key_identifier_no_keyid.pem"
2335 ),
2336 x509.load_pem_x509_certificate,
2337 backend
2338 )
2339 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2340 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2341 )
2342 assert ext is not None
2343 assert ext.critical is False
2344
2345 assert ext.value.key_identifier is None
2346 assert ext.value.authority_cert_issuer == [
2347 x509.DirectoryName(
2348 x509.Name([
2349 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2350 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2351 ),
2352 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2353 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2354 )
2355 ])
2356 )
2357 ]
2358 assert ext.value.authority_cert_serial_number == 3
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2359
Paul Kehrer253929a2015-08-05 17:30:39 +0100[diff] [blame]2360 def test_from_certificate(self, backend):
2361 issuer_cert = _load_cert(
2362 os.path.join("x509", "rapidssl_sha256_ca_g3.pem"),
2363 x509.load_pem_x509_certificate,
2364 backend
2365 )
2366 cert = _load_cert(
2367 os.path.join("x509", "cryptography.io.pem"),
2368 x509.load_pem_x509_certificate,
2369 backend
2370 )
2371 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2372 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrer253929a2015-08-05 17:30:39 +0100[diff] [blame]2373 )
2374 aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(
2375 issuer_cert.public_key()
2376 )
2377 assert ext.value == aki
2378
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2379
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2380class TestNameConstraints(object):
2381 def test_ipaddress_wrong_type(self):
2382 with pytest.raises(TypeError):
2383 x509.NameConstraints(
2384 permitted_subtrees=[
2385 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2386 ],
2387 excluded_subtrees=None
2388 )
2389
2390 with pytest.raises(TypeError):
2391 x509.NameConstraints(
2392 permitted_subtrees=None,
2393 excluded_subtrees=[
2394 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2395 ]
2396 )
2397
2398 def test_ipaddress_allowed_type(self):
2399 permitted = [x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29"))]
2400 excluded = [x509.IPAddress(ipaddress.IPv4Network(u"10.10.0.0/24"))]
2401 nc = x509.NameConstraints(
2402 permitted_subtrees=permitted,
2403 excluded_subtrees=excluded
2404 )
2405 assert nc.permitted_subtrees == permitted
2406 assert nc.excluded_subtrees == excluded
2407
2408 def test_invalid_permitted_subtrees(self):
2409 with pytest.raises(TypeError):
2410 x509.NameConstraints("badpermitted", None)
2411
2412 def test_invalid_excluded_subtrees(self):
2413 with pytest.raises(TypeError):
2414 x509.NameConstraints(None, "badexcluded")
2415
2416 def test_no_subtrees(self):
2417 with pytest.raises(ValueError):
2418 x509.NameConstraints(None, None)
2419
2420 def test_permitted_none(self):
2421 excluded = [x509.DNSName(u"name.local")]
2422 nc = x509.NameConstraints(
2423 permitted_subtrees=None, excluded_subtrees=excluded
2424 )
2425 assert nc.permitted_subtrees is None
2426 assert nc.excluded_subtrees is not None
2427
2428 def test_excluded_none(self):
2429 permitted = [x509.DNSName(u"name.local")]
2430 nc = x509.NameConstraints(
2431 permitted_subtrees=permitted, excluded_subtrees=None
2432 )
2433 assert nc.permitted_subtrees is not None
2434 assert nc.excluded_subtrees is None
2435
2436 def test_repr(self):
2437 permitted = [x509.DNSName(u"name.local"), x509.DNSName(u"name2.local")]
2438 nc = x509.NameConstraints(
2439 permitted_subtrees=permitted,
2440 excluded_subtrees=None
2441 )
2442 assert repr(nc) == (
2443 "<NameConstraints(permitted_subtrees=[<DNSName(value=name.local)>"
2444 ", <DNSName(value=name2.local)>], excluded_subtrees=None)>"
2445 )
2446
Paul Kehrer31894282015-06-21 21:46:41 -0500[diff] [blame]2447 def test_eq(self):
2448 nc = x509.NameConstraints(
2449 permitted_subtrees=[x509.DNSName(u"name.local")],
2450 excluded_subtrees=[x509.DNSName(u"name2.local")]
2451 )
2452 nc2 = x509.NameConstraints(
2453 permitted_subtrees=[x509.DNSName(u"name.local")],
2454 excluded_subtrees=[x509.DNSName(u"name2.local")]
2455 )
2456 assert nc == nc2
2457
2458 def test_ne(self):
2459 nc = x509.NameConstraints(
2460 permitted_subtrees=[x509.DNSName(u"name.local")],
2461 excluded_subtrees=[x509.DNSName(u"name2.local")]
2462 )
2463 nc2 = x509.NameConstraints(
2464 permitted_subtrees=[x509.DNSName(u"name.local")],
2465 excluded_subtrees=None
2466 )
2467 nc3 = x509.NameConstraints(
2468 permitted_subtrees=None,
2469 excluded_subtrees=[x509.DNSName(u"name2.local")]
2470 )
2471
2472 assert nc != nc2
2473 assert nc != nc3
2474 assert nc != object()
2475
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2476
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2477@pytest.mark.requires_backend_interface(interface=RSABackend)
2478@pytest.mark.requires_backend_interface(interface=X509Backend)
2479class TestNameConstraintsExtension(object):
2480 def test_permitted_excluded(self, backend):
2481 cert = _load_cert(
2482 os.path.join(
2483 "x509", "custom", "nc_permitted_excluded_2.pem"
2484 ),
2485 x509.load_pem_x509_certificate,
2486 backend
2487 )
2488 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2489 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2490 ).value
2491 assert nc == x509.NameConstraints(
2492 permitted_subtrees=[
2493 x509.DNSName(u"zombo.local"),
2494 ],
2495 excluded_subtrees=[
2496 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2497 x509.NameAttribute(NameOID.COMMON_NAME, u"zombo")
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2498 ]))
2499 ]
2500 )
2501
2502 def test_permitted(self, backend):
2503 cert = _load_cert(
2504 os.path.join(
2505 "x509", "custom", "nc_permitted_2.pem"
2506 ),
2507 x509.load_pem_x509_certificate,
2508 backend
2509 )
2510 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2511 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2512 ).value
2513 assert nc == x509.NameConstraints(
2514 permitted_subtrees=[
2515 x509.DNSName(u"zombo.local"),
2516 ],
2517 excluded_subtrees=None
2518 )
2519
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2520 def test_permitted_with_leading_period(self, backend):
2521 cert = _load_cert(
2522 os.path.join(
2523 "x509", "custom", "nc_permitted.pem"
2524 ),
2525 x509.load_pem_x509_certificate,
2526 backend
2527 )
2528 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2529 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2530 ).value
2531 assert nc == x509.NameConstraints(
2532 permitted_subtrees=[
2533 x509.DNSName(u".cryptography.io"),
2534 x509.UniformResourceIdentifier(u"ftp://cryptography.test")
2535 ],
2536 excluded_subtrees=None
2537 )
2538
2539 def test_excluded_with_leading_period(self, backend):
2540 cert = _load_cert(
2541 os.path.join(
2542 "x509", "custom", "nc_excluded.pem"
2543 ),
2544 x509.load_pem_x509_certificate,
2545 backend
2546 )
2547 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2548 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2549 ).value
2550 assert nc == x509.NameConstraints(
2551 permitted_subtrees=None,
2552 excluded_subtrees=[
2553 x509.DNSName(u".cryptography.io"),
2554 x509.UniformResourceIdentifier(u"gopher://cryptography.test")
2555 ]
2556 )
2557
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2558 def test_permitted_excluded_with_ips(self, backend):
2559 cert = _load_cert(
2560 os.path.join(
2561 "x509", "custom", "nc_permitted_excluded.pem"
2562 ),
2563 x509.load_pem_x509_certificate,
2564 backend
2565 )
2566 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2567 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2568 ).value
2569 assert nc == x509.NameConstraints(
2570 permitted_subtrees=[
2571 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")),
2572 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")),
2573 ],
2574 excluded_subtrees=[
2575 x509.DNSName(u".domain.com"),
2576 x509.UniformResourceIdentifier(u"http://test.local"),
2577 ]
2578 )
2579
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]2580 def test_single_ip_netmask(self, backend):
2581 cert = _load_cert(
2582 os.path.join(
2583 "x509", "custom", "nc_single_ip_netmask.pem"
2584 ),
2585 x509.load_pem_x509_certificate,
2586 backend
2587 )
2588 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2589 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]2590 ).value
2591 assert nc == x509.NameConstraints(
2592 permitted_subtrees=[
2593 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/128")),
2594 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.1/32")),
2595 ],
2596 excluded_subtrees=None
2597 )
2598
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2599 def test_invalid_netmask(self, backend):
2600 cert = _load_cert(
2601 os.path.join(
2602 "x509", "custom", "nc_invalid_ip_netmask.pem"
2603 ),
2604 x509.load_pem_x509_certificate,
2605 backend
2606 )
2607 with pytest.raises(ValueError):
2608 cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2609 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2610 )
2611
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2612
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2613class TestDistributionPoint(object):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2614 def test_distribution_point_full_name_not_general_names(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2615 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2616 x509.DistributionPoint(["notgn"], None, None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2617
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2618 def test_distribution_point_relative_name_not_name(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2619 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2620 x509.DistributionPoint(None, "notname", None, None)
2621
2622 def test_distribution_point_full_and_relative_not_none(self):
2623 with pytest.raises(ValueError):
2624 x509.DistributionPoint("data", "notname", None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2625
2626 def test_crl_issuer_not_general_names(self):
2627 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2628 x509.DistributionPoint(None, None, None, ["notgn"])
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2629
2630 def test_reason_not_reasonflags(self):
2631 with pytest.raises(TypeError):
2632 x509.DistributionPoint(
2633 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2634 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2635 frozenset(["notreasonflags"]),
2636 None
2637 )
2638
2639 def test_reason_not_frozenset(self):
2640 with pytest.raises(TypeError):
2641 x509.DistributionPoint(
2642 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2643 None,
2644 [x509.ReasonFlags.ca_compromise],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2645 None
2646 )
2647
2648 def test_disallowed_reasons(self):
2649 with pytest.raises(ValueError):
2650 x509.DistributionPoint(
2651 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2652 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2653 frozenset([x509.ReasonFlags.unspecified]),
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2654 None
2655 )
2656
2657 with pytest.raises(ValueError):
2658 x509.DistributionPoint(
2659 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2660 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2661 frozenset([x509.ReasonFlags.remove_from_crl]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2662 None
2663 )
2664
2665 def test_reason_only(self):
2666 with pytest.raises(ValueError):
2667 x509.DistributionPoint(
2668 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2669 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2670 frozenset([x509.ReasonFlags.aa_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2671 None
2672 )
2673
2674 def test_eq(self):
2675 dp = x509.DistributionPoint(
2676 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2677 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2678 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2679 [
2680 x509.DirectoryName(
2681 x509.Name([
2682 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2683 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2684 )
2685 ])
2686 )
2687 ],
2688 )
2689 dp2 = x509.DistributionPoint(
2690 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2691 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2692 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2693 [
2694 x509.DirectoryName(
2695 x509.Name([
2696 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2697 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2698 )
2699 ])
2700 )
2701 ],
2702 )
2703 assert dp == dp2
2704
2705 def test_ne(self):
2706 dp = x509.DistributionPoint(
2707 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2708 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2709 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2710 [
2711 x509.DirectoryName(
2712 x509.Name([
2713 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2714 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2715 )
2716 ])
2717 )
2718 ],
2719 )
2720 dp2 = x509.DistributionPoint(
2721 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2722 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2723 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2724 None
2725 )
2726 assert dp != dp2
2727 assert dp != object()
2728
2729 def test_repr(self):
2730 dp = x509.DistributionPoint(
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2731 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2732 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2733 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN")
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2734 ]),
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2735 frozenset([x509.ReasonFlags.ca_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2736 [
2737 x509.DirectoryName(
2738 x509.Name([
2739 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2740 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2741 )
2742 ])
2743 )
2744 ],
2745 )
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2746 if six.PY3:
2747 assert repr(dp) == (
2748 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2749 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]2750 ">, value='myCN')>])>, reasons=frozenset({<ReasonFlags.ca_comp"
2751 "romise: 'cACompromise'>}), crl_issuer=[<DirectoryName(value=<"
2752 "Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name="
2753 "commonName)>, value='Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2754 )
2755 else:
2756 assert repr(dp) == (
2757 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2758 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2759 ">, value=u'myCN')>])>, reasons=frozenset([<ReasonFlags.ca_com"
2760 "promise: 'cACompromise'>]), crl_issuer=[<DirectoryName(value="
2761 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
2762 "=commonName)>, value=u'Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2763 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2764
2765
2766class TestCRLDistributionPoints(object):
2767 def test_invalid_distribution_points(self):
2768 with pytest.raises(TypeError):
2769 x509.CRLDistributionPoints(["notadistributionpoint"])
2770
2771 def test_iter_len(self):
2772 cdp = x509.CRLDistributionPoints([
2773 x509.DistributionPoint(
2774 [x509.UniformResourceIdentifier(u"http://domain")],
2775 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2776 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2777 None
2778 ),
2779 x509.DistributionPoint(
2780 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2781 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2782 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2783 x509.ReasonFlags.key_compromise,
2784 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2785 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2786 None
2787 ),
2788 ])
2789 assert len(cdp) == 2
2790 assert list(cdp) == [
2791 x509.DistributionPoint(
2792 [x509.UniformResourceIdentifier(u"http://domain")],
2793 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2794 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2795 None
2796 ),
2797 x509.DistributionPoint(
2798 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2799 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2800 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2801 x509.ReasonFlags.key_compromise,
2802 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2803 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2804 None
2805 ),
2806 ]
2807
2808 def test_repr(self):
2809 cdp = x509.CRLDistributionPoints([
2810 x509.DistributionPoint(
2811 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2812 None,
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2813 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2814 None
2815 ),
2816 ])
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2817 if six.PY3:
2818 assert repr(cdp) == (
2819 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2820 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2821 "ne, reasons=frozenset({<ReasonFlags.key_compromise: 'keyComp"
2822 "romise'>}), crl_issuer=None)>])>"
2823 )
2824 else:
2825 assert repr(cdp) == (
2826 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2827 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2828 "ne, reasons=frozenset([<ReasonFlags.key_compromise: 'keyComp"
2829 "romise'>]), crl_issuer=None)>])>"
2830 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2831
2832 def test_eq(self):
2833 cdp = x509.CRLDistributionPoints([
2834 x509.DistributionPoint(
2835 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2836 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2837 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2838 x509.ReasonFlags.key_compromise,
2839 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2840 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2841 [x509.UniformResourceIdentifier(u"uri://thing")],
2842 ),
2843 ])
2844 cdp2 = x509.CRLDistributionPoints([
2845 x509.DistributionPoint(
2846 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2847 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2848 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2849 x509.ReasonFlags.key_compromise,
2850 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2851 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2852 [x509.UniformResourceIdentifier(u"uri://thing")],
2853 ),
2854 ])
2855 assert cdp == cdp2
2856
2857 def test_ne(self):
2858 cdp = x509.CRLDistributionPoints([
2859 x509.DistributionPoint(
2860 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2861 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2862 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2863 x509.ReasonFlags.key_compromise,
2864 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2865 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2866 [x509.UniformResourceIdentifier(u"uri://thing")],
2867 ),
2868 ])
2869 cdp2 = x509.CRLDistributionPoints([
2870 x509.DistributionPoint(
2871 [x509.UniformResourceIdentifier(u"ftp://domain2")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2872 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2873 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2874 x509.ReasonFlags.key_compromise,
2875 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2876 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2877 [x509.UniformResourceIdentifier(u"uri://thing")],
2878 ),
2879 ])
2880 cdp3 = x509.CRLDistributionPoints([
2881 x509.DistributionPoint(
2882 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2883 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2884 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2885 [x509.UniformResourceIdentifier(u"uri://thing")],
2886 ),
2887 ])
2888 cdp4 = x509.CRLDistributionPoints([
2889 x509.DistributionPoint(
2890 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2891 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2892 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2893 x509.ReasonFlags.key_compromise,
2894 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2895 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2896 [x509.UniformResourceIdentifier(u"uri://thing2")],
2897 ),
2898 ])
2899 assert cdp != cdp2
2900 assert cdp != cdp3
2901 assert cdp != cdp4
2902 assert cdp != object()
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2903
2904
2905@pytest.mark.requires_backend_interface(interface=RSABackend)
2906@pytest.mark.requires_backend_interface(interface=X509Backend)
2907class TestCRLDistributionPointsExtension(object):
2908 def test_fullname_and_crl_issuer(self, backend):
2909 cert = _load_cert(
2910 os.path.join(
2911 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest28EE.crt"
2912 ),
2913 x509.load_der_x509_certificate,
2914 backend
2915 )
2916
2917 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2918 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2919 ).value
2920
2921 assert cdps == x509.CRLDistributionPoints([
2922 x509.DistributionPoint(
2923 full_name=[x509.DirectoryName(
2924 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2925 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2926 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2927 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2928 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2929 ),
2930 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2931 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2932 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2933 ),
2934 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2935 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2936 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2937 ),
2938 ])
2939 )],
2940 relative_name=None,
2941 reasons=None,
2942 crl_issuer=[x509.DirectoryName(
2943 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2944 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2945 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2946 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2947 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2948 ),
2949 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2950 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2951 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2952 ),
2953 ])
2954 )],
2955 )
2956 ])
2957
2958 def test_relativename_and_crl_issuer(self, backend):
2959 cert = _load_cert(
2960 os.path.join(
2961 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest29EE.crt"
2962 ),
2963 x509.load_der_x509_certificate,
2964 backend
2965 )
2966
2967 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2968 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2969 ).value
2970
2971 assert cdps == x509.CRLDistributionPoints([
2972 x509.DistributionPoint(
2973 full_name=None,
2974 relative_name=x509.Name([
2975 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2976 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2977 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2978 ),
2979 ]),
2980 reasons=None,
2981 crl_issuer=[x509.DirectoryName(
2982 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2983 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2984 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2985 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2986 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2987 ),
2988 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2989 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2990 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2991 ),
2992 ])
2993 )],
2994 )
2995 ])
2996
2997 def test_fullname_crl_issuer_reasons(self, backend):
2998 cert = _load_cert(
2999 os.path.join(
3000 "x509", "custom", "cdp_fullname_reasons_crl_issuer.pem"
3001 ),
3002 x509.load_pem_x509_certificate,
3003 backend
3004 )
3005
3006 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3007 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3008 ).value
3009
3010 assert cdps == x509.CRLDistributionPoints([
3011 x509.DistributionPoint(
3012 full_name=[x509.UniformResourceIdentifier(
3013 u"http://myhost.com/myca.crl"
3014 )],
3015 relative_name=None,
3016 reasons=frozenset([
3017 x509.ReasonFlags.key_compromise,
3018 x509.ReasonFlags.ca_compromise
3019 ]),
3020 crl_issuer=[x509.DirectoryName(
3021 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3022 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3023 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3024 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3025 ),
3026 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3027 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3028 ),
3029 ])
3030 )],
3031 )
3032 ])
3033
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3034 def test_all_reasons(self, backend):
3035 cert = _load_cert(
3036 os.path.join(
3037 "x509", "custom", "cdp_all_reasons.pem"
3038 ),
3039 x509.load_pem_x509_certificate,
3040 backend
3041 )
3042
3043 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3044 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3045 ).value
3046
3047 assert cdps == x509.CRLDistributionPoints([
3048 x509.DistributionPoint(
3049 full_name=[x509.UniformResourceIdentifier(
3050 u"http://domain.com/some.crl"
3051 )],
3052 relative_name=None,
3053 reasons=frozenset([
3054 x509.ReasonFlags.key_compromise,
3055 x509.ReasonFlags.ca_compromise,
3056 x509.ReasonFlags.affiliation_changed,
3057 x509.ReasonFlags.superseded,
3058 x509.ReasonFlags.privilege_withdrawn,
3059 x509.ReasonFlags.cessation_of_operation,
3060 x509.ReasonFlags.aa_compromise,
3061 x509.ReasonFlags.certificate_hold,
3062 ]),
3063 crl_issuer=None
3064 )
3065 ])
3066
3067 def test_single_reason(self, backend):
3068 cert = _load_cert(
3069 os.path.join(
3070 "x509", "custom", "cdp_reason_aa_compromise.pem"
3071 ),
3072 x509.load_pem_x509_certificate,
3073 backend
3074 )
3075
3076 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3077 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3078 ).value
3079
3080 assert cdps == x509.CRLDistributionPoints([
3081 x509.DistributionPoint(
3082 full_name=[x509.UniformResourceIdentifier(
3083 u"http://domain.com/some.crl"
3084 )],
3085 relative_name=None,
3086 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
3087 crl_issuer=None
3088 )
3089 ])
3090
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3091 def test_crl_issuer_only(self, backend):
3092 cert = _load_cert(
3093 os.path.join(
3094 "x509", "custom", "cdp_crl_issuer.pem"
3095 ),
3096 x509.load_pem_x509_certificate,
3097 backend
3098 )
3099
3100 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3101 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3102 ).value
3103
3104 assert cdps == x509.CRLDistributionPoints([
3105 x509.DistributionPoint(
3106 full_name=None,
3107 relative_name=None,
3108 reasons=None,
3109 crl_issuer=[x509.DirectoryName(
3110 x509.Name([
3111 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3112 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3113 ),
3114 ])
3115 )],
3116 )
3117 ])
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3118
Dominic Chen87bb9572015-10-09 00:23:07 -0400[diff] [blame]3119 def test_crl_empty_hostname(self, backend):
3120 cert = _load_cert(
3121 os.path.join(
3122 "x509", "custom", "cdp_empty_hostname.pem"
3123 ),
3124 x509.load_pem_x509_certificate,
3125 backend
3126 )
3127
3128 cdps = cert.extensions.get_extension_for_oid(
3129 ExtensionOID.CRL_DISTRIBUTION_POINTS
3130 ).value
3131
3132 assert cdps == x509.CRLDistributionPoints([
3133 x509.DistributionPoint(
3134 full_name=[x509.UniformResourceIdentifier(
3135 u"ldap:/CN=A,OU=B,dc=C,DC=D?E?F?G?H=I"
3136 )],
3137 relative_name=None,
3138 reasons=None,
3139 crl_issuer=None
3140 )
3141 ])
3142
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3143
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]3144@pytest.mark.requires_backend_interface(interface=RSABackend)
3145@pytest.mark.requires_backend_interface(interface=X509Backend)
3146class TestOCSPNoCheckExtension(object):
3147 def test_nocheck(self, backend):
3148 cert = _load_cert(
3149 os.path.join(
3150 "x509", "custom", "ocsp_nocheck.pem"
3151 ),
3152 x509.load_pem_x509_certificate,
3153 backend
3154 )
3155 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3156 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]3157 )
3158 assert isinstance(ext.value, x509.OCSPNoCheck)
3159
3160
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3161class TestInhibitAnyPolicy(object):
3162 def test_not_int(self):
3163 with pytest.raises(TypeError):
3164 x509.InhibitAnyPolicy("notint")
3165
3166 def test_negative_int(self):
3167 with pytest.raises(ValueError):
3168 x509.InhibitAnyPolicy(-1)
3169
3170 def test_repr(self):
3171 iap = x509.InhibitAnyPolicy(0)
3172 assert repr(iap) == "<InhibitAnyPolicy(skip_certs=0)>"
3173
3174 def test_eq(self):
3175 iap = x509.InhibitAnyPolicy(1)
3176 iap2 = x509.InhibitAnyPolicy(1)
3177 assert iap == iap2
3178
3179 def test_ne(self):
3180 iap = x509.InhibitAnyPolicy(1)
3181 iap2 = x509.InhibitAnyPolicy(4)
3182 assert iap != iap2
3183 assert iap != object()
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]3184
3185
3186@pytest.mark.requires_backend_interface(interface=RSABackend)
3187@pytest.mark.requires_backend_interface(interface=X509Backend)
3188class TestInhibitAnyPolicyExtension(object):
3189 def test_nocheck(self, backend):
3190 cert = _load_cert(
3191 os.path.join(
3192 "x509", "custom", "inhibit_any_policy_5.pem"
3193 ),
3194 x509.load_pem_x509_certificate,
3195 backend
3196 )
3197 iap = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3198 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]3199 ).value
3200 assert iap.skip_certs == 5
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]3201
3202
3203@pytest.mark.requires_backend_interface(interface=RSABackend)
3204@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1b7500f2015-08-01 20:56:27 +0100[diff] [blame]3205class TestInvalidExtension(object):
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]3206 def test_invalid_certificate_policies_data(self, backend):
3207 cert = _load_cert(
3208 os.path.join(
3209 "x509", "custom", "cp_invalid.pem"
3210 ),
3211 x509.load_pem_x509_certificate,
3212 backend
3213 )
3214 with pytest.raises(ValueError):
3215 cert.extensions